[英]php script prevent direct access
I am using ajax to get value from php scripts (for example cost.php) and i know it would be easy to access it directly and get that value. 我正在使用ajax从php脚本中获取价值(例如cost.php),我知道直接访问它并获取该价值将很容易。 I am even running cron job on same script(cost.php) so cron job would not work if i use following...
我什至在同一脚本(cost.php)上运行cron作业,因此如果我使用以下命令,cron作业将无法工作...
if(!empty($_SERVER['HTTP_X_REQUESTED_WITH']) && strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) == 'xmlhttprequest') {
//code here
die('Invalid Request!');
}
Is this the safe way to prevent, and cron jobs would not work if i use the above code, so what can i use to secure value from end user. 这是预防的安全方法吗,如果我使用上面的代码,cron作业将无法工作,那么我可以用来确保最终用户的价值。 thanks.
谢谢。
In order to separate execution of cronjob, you can consider to use php_sapi_name 为了分开执行cronjob,可以考虑使用php_sapi_name
A simple usage (more reliable that depend on server side variables) :- 一种简单用法(更可靠,取决于服务器端变量):
if (php_sapi_name() == "cli") // via cronjob or via cli
{
die("invalid request");
}
PS: constant PHP_SAPI carry the same value, so you can rewrite to :- PS:常量PHP_SAPI带有相同的值,因此您可以重写为:-
if (PHP_SAPI == "cli")
{
die("invalid request");
}
Add this at the top of code to stop direct script access. 在代码顶部添加此代码可停止直接脚本访问。
if (!defined('BASEPATH')) exit('No direct script access allowed');
If you want to allow AJAX requests then, 如果您想允许AJAX请求,
if (!defined('BASEPATH') &&
strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) != 'xmlhttprequest')
exit('You are not allowed here...');
if (!eregi('cost.php',basename($_SERVER["REQUEST_URI"]))) { die('access denied'); }
Use a secret password for the cronjob 为cronjob使用秘密密码
if (isset($_REQUEST['cronpw']) && $_REQUEST['cronpw'] == 'supersecret')
{
// this is the cronjob
}
else
{
// this not
}
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.